nixos-config/modules/gitea/default.nix

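{ pkgs
, config
, lib
, ...
}:
let
  # Pull in only the lib functions this module uses, instead of `with lib;`:
  # every lib name in scope is now visible at a glance and `lib` attributes
  # can no longer shadow locals or hide an undefined-name error.
  inherit (lib) mkEnableOption mkIf;

  cfg = config.eboskma.gitea;
  giteaCfg = config.services.gitea;
in
{
  options.eboskma.gitea = { enable = mkEnableOption "gitea"; };

  config = mkIf cfg.enable {
    services.gitea = {
      enable = true;
      user = "git";
      domain = "git.datarift.nl";
      appName = "Gitea Datarift";
      # Public URL is HTTPS while Gitea itself only serves plain HTTP on 3000
      # (see the firewall rule below), so a TLS-terminating reverse proxy in
      # front is assumed. NOTE(review): make sure Gitea's
      # `[security] REVERSE_PROXY_TRUSTED_PROXIES` covers that proxy's address;
      # its default trusts loopback only, otherwise client IPs in logs and
      # login-attempt limits are the proxy's, not the user's.
      rootUrl = "https://git.datarift.nl/";
      lfs = {
        enable = true;
      };
      database = {
        type = "postgres";
        # Local Unix socket. With the stock NixOS pg_hba this is presumably
        # peer-authenticated (OS user `git` -> role `git`), in which case the
        # password file is never consulted — verify against the pg_hba in use.
        socket = "/run/postgresql";
        passwordFile = "/run/secrets/gitea_db_password";
        # Role and database are provisioned by the services.postgresql block
        # further down, not by the gitea module.
        createDatabase = false;
        user = "git";
      };
      settings = {
        security = {
          PASSWORD_HASH_ALGO = "argon2";
          # SECURITY: this re-enables server-side git hooks, which Gitea ships
          # disabled. Any account allowed to edit a repository's hooks can run
          # arbitrary commands on this host as the `git` user. Tolerable only
          # while registration is closed and every account is trusted; revisit
          # if accounts are ever handed to third parties.
          DISABLE_GIT_HOOKS = false;
        };
        log.LEVEL = "Warn";
        database = {
          # Never echo SQL statements into the log; they can carry tokens and
          # credential hashes.
          LOG_SQL = false;
        };
        repository = {
          # Any authenticated user may create a repo/org simply by pushing to a
          # path that does not exist yet; bounded by DISABLE_REGISTRATION below.
          ENABLE_PUSH_CREATE_USER = true;
          ENABLE_PUSH_CREATE_ORG = true;
        };
        service = {
          DEFAULT_KEEP_EMAIL_PRIVATE = true;
          # Accounts are created by an administrator only.
          DISABLE_REGISTRATION = true;
        };
        picture = {
          ENABLE_FEDERATED_AVATAR = true;
        };
        session = {
          PROVIDER = "db";
          # Strict SameSite plus the Secure flag: the session cookie is never
          # attached to cross-site requests nor sent over plain HTTP.
          SAME_SITE = "strict";
          COOKIE_SECURE = true;
        };
        webhook = {
          # SSRF guard for webhook deliveries: "external" permits public
          # targets, and the two entries after it are the only private/internal
          # destinations allowed (the CI endpoint). Everything else in private
          # or loopback ranges is refused.
          ALLOWED_HOST_LIST = "external,10.0.0.202/32,drone.datarift.nl";
        };
      };
    };

    # NOTE(review): this opens Gitea's plaintext HTTP port to every interface,
    # and unless `services.gitea.httpAddress` is set elsewhere in this config
    # Gitea listens on all addresses. If the TLS proxy runs on this host, bind
    # to 127.0.0.1 and drop this rule; if the proxy is remote, limit the rule to
    # that proxy's interface or source address rather than the whole world.
    networking.firewall.allowedTCPPorts = [ 3000 ];

    users.users.git = {
      description = "Gitea service user";
      home = giteaCfg.stateDir;
      # A login shell is presumably required so SSH sessions as `git` can be
      # handed to Gitea by the system sshd — confirm if SSH access is in use.
      useDefaultShell = true;
      group = "gitea";
      isSystemUser = true;
    };

    services.postgresql = {
      enable = true;
      # Explicitly specify version here, because upgrading is a manual process that involves dumping and restoring databases:
      # https://nixos.org/manual/nixos/unstable/index.html#module-services-postgres-upgrading
      package = pkgs.postgresql_14;
      ensureDatabases = [ "gitea" ];
      ensureUsers = [
        {
          # Must match services.gitea.database.user above so the peer-auth
          # mapping (and the granted privileges) line up.
          name = "git";
          ensurePermissions = {
            "DATABASE gitea" = "ALL PRIVILEGES";
          };
        }
      ];
    };
  };
}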